yuanbiao
/
emqx
1
0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

refactor: rename attr to client_attr 

client_attr is unique enough for all contexts
so the name can be unified from external responses
to internal template rendering, and rule-engine template rendering
This commit is contained in:
zmstone 2024-03-19 21:03:44 +01:00
parent cc4805b1ac
commit e5816f5a13
6 changed files with 37 additions and 31 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

15
apps/emqx/src/emqx_channel.erl
View File

@ -260,7 +260,7 @@ init(
is_bridge => false, is_bridge => false,
is_superuser => false, is_superuser => false,
enable_authn => maps:get(enable_authn, Opts, true), enable_authn => maps:get(enable_authn, Opts, true),
attrs => #{} client_attrs => #{}
}, },
Zone Zone
), ),
@ -1730,15 +1730,16 @@ do_authenticate(Credential, #channel{clientinfo = ClientInfo} = Channel) ->
%% Authentication result may include: %% Authentication result may include:
%% 1. `is_superuser': The superuser flag from various backends %% 1. `is_superuser': The superuser flag from various backends
%% 2. `acl': ACL rules from JWT, HTTP auth backend %% 2. `acl': ACL rules from JWT, HTTP auth backend
%% 3. `attrs': Extra client attributes from JWT, HTTP auth backend %% 3. `client_attrs': Extra client attributes from JWT, HTTP auth backend
%% 4. Maybe more non-standard fileds used by hook callbacks
merge_auth_result(ClientInfo, AuthResult0) when is_map(ClientInfo) andalso is_map(AuthResult0) -> merge_auth_result(ClientInfo, AuthResult0) when is_map(ClientInfo) andalso is_map(AuthResult0) ->
IsSuperuser = maps:get(is_superuser, AuthResult, false), IsSuperuser = maps:get(is_superuser, AuthResult0, false),
AuthResult = maps:without([attrs], AuthResult0), AuthResult = maps:without([client_attrs], AuthResult0),
Attrs0 = maps:get(attrs, ClientInfo, #{}), Attrs0 = maps:get(client_attrs, ClientInfo, #{}),
Attrs1 = maps:get(attrs, AuthResult0, #{}), Attrs1 = maps:get(client_attrs, AuthResult0, #{}),
Attrs = maps:merge(Attrs0, Attrs1), Attrs = maps:merge(Attrs0, Attrs1),
maps:merge( maps:merge(
ClientInfo#{attrs => Attrs}, ClientInfo#{client_attrs => Attrs},
AuthResult#{is_superuser => IsSuperuser} AuthResult#{is_superuser => IsSuperuser}
). ).

2
apps/emqx/src/emqx_types.erl
View File

@ -191,7 +191,7 @@
cn => binary(), cn => binary(),
dn => binary(), dn => binary(),
%% extra attributes %% extra attributes
attrs => client_attrs(), client_attrs => client_attrs(),
atom() => term() atom() => term()
}. }.
-type client_attrs() :: #{binary() => binary()}. -type client_attrs() :: #{binary() => binary()}.

6
apps/emqx_auth/src/emqx_authn/emqx_authn_utils.erl
View File

@ -32,6 +32,7 @@
render_urlencoded_str/2, render_urlencoded_str/2,
render_sql_params/2, render_sql_params/2,
is_superuser/1, is_superuser/1,
client_attrs/1,
bin/1, bin/1,
ensure_apps_started/1, ensure_apps_started/1,
cleanup_resources/0, cleanup_resources/0,
@ -204,6 +205,11 @@ is_superuser(#{<<"is_superuser">> := Value}) ->
is_superuser(#{}) -> is_superuser(#{}) ->
#{is_superuser => false}. #{is_superuser => false}.
client_attrs(#{<<"client_attrs">> := Attrs}) ->
#{client_attrs => Attrs};
client_attrs(_) ->
#{client_attrs => #{}}.
ensure_apps_started(bcrypt) -> ensure_apps_started(bcrypt) ->
{ok, _} = application:ensure_all_started(bcrypt), {ok, _} = application:ensure_all_started(bcrypt),
ok; ok;

2
apps/emqx_auth_http/src/emqx_authn_http.erl
View File

@ -198,7 +198,7 @@ handle_response(Headers, Body) ->
case maps:get(<<"result">>, NBody, <<"ignore">>) of case maps:get(<<"result">>, NBody, <<"ignore">>) of
<<"allow">> -> <<"allow">> ->
IsSuperuser = emqx_authn_utils:is_superuser(NBody), IsSuperuser = emqx_authn_utils:is_superuser(NBody),
Attrs = maps:get(<<"attrs">>, NBody, #{}), Attrs = emqx_authn_utils:client_attrs(NBody),
Result = maps:merge(IsSuperuser, Attrs), Result = maps:merge(IsSuperuser, Attrs),
{ok, Result}; {ok, Result};
<<"deny">> -> <<"deny">> ->

12
apps/emqx_auth_http/test/emqx_authn_http_SUITE.erl
View File

@ -533,7 +533,7 @@ samples() ->
{ok, Req, State} {ok, Req, State}
end, end,
config_params => #{}, config_params => #{},
result => {ok, #{is_superuser => false, attrs => #{}}} result => {ok, #{is_superuser => false, client_attrs => #{}}}
}, },
%% get request with json body response %% get request with json body response
@ -548,7 +548,7 @@ samples() ->
{ok, Req, State} {ok, Req, State}
end, end,
config_params => #{}, config_params => #{},
result => {ok, #{is_superuser => true, attrs => #{}}} result => {ok, #{is_superuser => true, client_attrs => #{}}}
}, },
%% get request with url-form-encoded body response %% get request with url-form-encoded body response
@ -566,7 +566,7 @@ samples() ->
{ok, Req, State} {ok, Req, State}
end, end,
config_params => #{}, config_params => #{},
result => {ok, #{is_superuser => true, attrs => #{}}} result => {ok, #{is_superuser => true, client_attrs => #{}}}
}, },
%% get request with response of unknown encoding %% get request with response of unknown encoding
@ -608,7 +608,7 @@ samples() ->
<<"method">> => <<"post">>, <<"method">> => <<"post">>,
<<"headers">> => #{<<"content-type">> => <<"application/json">>} <<"headers">> => #{<<"content-type">> => <<"application/json">>}
}, },
result => {ok, #{is_superuser => false, attrs => #{}}} result => {ok, #{is_superuser => false, client_attrs => #{}}}
}, },
%% simple post request, application/x-www-form-urlencoded %% simple post request, application/x-www-form-urlencoded
@ -634,7 +634,7 @@ samples() ->
<<"application/x-www-form-urlencoded">> <<"application/x-www-form-urlencoded">>
} }
}, },
result => {ok, #{is_superuser => false, attrs => #{}}} result => {ok, #{is_superuser => false, client_attrs => #{}}}
}, },
%% simple post request for placeholders, application/json %% simple post request for placeholders, application/json
@ -669,7 +669,7 @@ samples() ->
<<"cert_common_name">> => ?PH_CERT_CN_NAME <<"cert_common_name">> => ?PH_CERT_CN_NAME
} }
}, },
result => {ok, #{is_superuser => false, attrs => #{}}} result => {ok, #{is_superuser => false, client_attrs => #{}}}
}, },
%% custom headers %% custom headers

31
apps/emqx_auth_jwt/src/emqx_authn_jwt.erl
View File

@ -219,10 +219,11 @@ verify(undefined, _, _, _) ->
verify(JWT, JWKs, VerifyClaims, AclClaimName) -> verify(JWT, JWKs, VerifyClaims, AclClaimName) ->
case do_verify(JWT, JWKs, VerifyClaims) of case do_verify(JWT, JWKs, VerifyClaims) of
{ok, Extra} -> {ok, Extra} ->
IsSuperuser = emqx_authn_utils:is_superuser(Extra),
Attrs = emqx_authn_utils:client_attrs(Extra),
try try
ACL = acl(Extra, AclClaimName), ACL = acl(Extra, AclClaimName),
Attrs = maps:get(<<"attrs">>, Extra, #{}), Result = maps:merge(IsSuperuser, maps:merge(ACL, Attrs)),
Result = maps:merge(Attrs, ACL),
{ok, Result} {ok, Result}
catch catch
throw:{bad_acl_rule, Reason} -> throw:{bad_acl_rule, Reason} ->
@ -245,20 +246,18 @@ verify(JWT, JWKs, VerifyClaims, AclClaimName) ->
end. end.
acl(Claims, AclClaimName) -> acl(Claims, AclClaimName) ->
Acl = case Claims of
case Claims of #{AclClaimName := Rules} ->
#{AclClaimName := Rules} -> #{
#{ acl => #{
acl => #{ rules => parse_rules(Rules),
rules => parse_rules(Rules), source_for_logging => jwt,
source_for_logging => jwt, expire => maps:get(<<"exp">>, Claims, undefined)
expire => maps:get(<<"exp">>, Claims, undefined) }
} };
}; _ ->
_ -> #{}
#{} end.
end,
maps:merge(emqx_authn_utils:is_superuser(Claims), Acl).
do_verify(_JWT, [], _VerifyClaims) -> do_verify(_JWT, [], _VerifyClaims) ->
{error, invalid_signature}; {error, invalid_signature};